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Key Findings 


IDENTITY IS THE KEY 


As the saying goes, go for the lowest hanging 


fruit. In phishing, that fruit is the credential. 


Credential harvesters are the most common 


threat type in email. 


Nearly 10 percent (9.3%) 
of malicious attacks involve 
credential harvesters. 


Why bring a battering ram, when you can 
just steal the keys to the door? Attackers look 


for the path of least resistance, so if you can 


spend three minutes crafting an email to steal 


credentials versus spending hours devising a 


way past firewalls and other protections, why 


wouldn’t you go that route? 
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LOW VOLUME, 
HIGH RETURNS 


Business Email Compromise (BEC) is the 
latest example of researching your target. 
They involve a lot more care and feeding 


than traditional phishing attacks. 


Although BECs make up a tiny volume 
of attacks, they represent the highest 
financial damage. In our data, BEC 
acccounted for 1.3% of attacks 
but would have resulted in over 
$354 million in direct losses. 

The average BEC request in our 
findings is nearly $1.5 million. 


TRUST NO ONE, LEAST 


OF ALL YOUR “FRIENDS” 


Identity deception using tactics like 
spoofing, domain impersonation and 
display name impersonation is used in 
nearly 9% of attacks. 


These attacks showcase the ease at which 
people can deceive the common user to 
gain access to their goals. In many cases, 
it’s as simple as a display name change 

to seriously wreck someone’s weekend 
and lose trust in who they’re dealing with. 


Speaking of trust... 
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Key Findings — continued 


THE ENEMY YOU KNOW 


What’s even better than pretending to be Jan from accounting? 
How about being America’s favorite retailer with a special offer just 
for you! Attackers impersonate known brands to add legitimacy to 


phishing campaigns. 


The top 10 most impersonated brands make up over 
56% of all impersonation-based phishing attacks. 


These attacks will always present a challenge to most users. 


Things like the latest trends in the news or entertainment 


can spell big bucks for attackers. 
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WHAT ABOUT SPAM? 


End user training does wonders in helping foster a culture of security 
in an organization. However, not every end user has their CISSP. True 
positive phishing submissions are amazing for the safety 


of an organization. 


However, more than 92% of user-reported phish are not 
malicious and are actually benign, spam or bulk mail. 


Training isn’t enough to stop the white noise heard by 


the security admins. 
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It Started out with a Phish 
How did it end up like this? 


Unlike the song by The Killers, there isn’t a “brightside” Here are the analyzed threat samples we discovered from 
to phish. (And you can blame us for getting the song May 1, 2020 to April 30, 2021 broken down below by volume. 


9.33% 8.96% 8.96% 3.31% 92.27%) 


stuck in your head.) 


With unerring consistency, almost all breaches begin with an 
innocuous looking phish or an email. Low tech, low maintenance 
and practically free, phishing can be a profitable business model 


for attackers with low infrastructure costs due to the prevalence 


of inexpensive cloud-based email providers like Gmail. By using 


these legitimate hosting services, attackers can sneak under | EEDENI. AEST cg) Fae Sue 2.39% 

5 > , 4 ; E IDENTITY DECEPTION E scam 1.48% 
the email security radar straight into inboxes. i 

E ink E sec 1.29% 
7 F . E ATTACHMENT E oroprer 0.37% 

What looks like an harmless email from a long-standing E EKTOR E omer 0.11% 
vendor or even a routine email from the IT department can 
harbor devastating consequences if clicked, leading to 
shutdowns, loss of data or even financial costs in the millions. 
We cannot stress enough the importance of stopping these (Detailed threat type descriptions can be found in the Appendix of the report.) 


threats before they reach users. 
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7 OF ATTACKS INVOLVED 
O CREDENTIAL HARVESTING 
e 


IMPERSONATED SENDER: 
NO-REPLY@SHAREPOINTONLINE[.]JCOM 


| tl 


. SharePoint Online | via sharepoint@ie aa <no-reply@sharepointonline.com> 3:06 PM 
You have received a new file via SharePoint 
To: = = 
Reply-To: SharePoint Team 2 REPLY-TO MISMATCH: 
HELP.DESK.MESSAGE.ALERT@MAIL[.JCOM 


eee 


P SharePoint 


Your organization has shared a secured document with 
you via Microsoft ShareF 
3 IMAGE OFA 


SHAREPOINT EMAIL 
T March Financial Reports & 


This attachment only works for the direct recipient of this message. 
Sign in with your Microsoft account to access the shared files 


HTML ATTACHMENT CONTAINS 
CREDENTIAL HARVESTER 


Sign in to view the document 


— e e 


Cf 
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Credential Harvesters: 
Compromised Identities 


When users open the front door, attackers don’t need any backdoors. 
The largest threat type by volume in our findings, credential harvesters 
can refer to either the attack method or malware that steals a user’s valid 


password, which is then used to gain access to unauthorized data. 


Also considered a type of social engineering attack, credential harvesters 
typically start as a phishing email with a link to a fake login page made 
to look like a legitimate organization’s site. Alternatively an email with 
weaponized attachments can also install credential-harvesting malware 


onto an end user’s system. 


While the websites and lures used range in sophistication, the most 
convincing attacks require advanced technology and trained security 
analysts to identify. By impersonating recognized brands and using 
legitimate cloud hosting services (e.g. Google Drive, Microsoft OneDrive, 
etc.) as part of their attack infrastructure, these attacks can bypass 


security systems and “security aware” users. 
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Supply Chain Attacks 


Targeting Organizational Weaknesses (aka Your “Friends”) 


The SolarWinds and Kaseya incidents catapulted 
supply chain attacks into the spotlight due to its 
widespread impact and continued repercussions. 
As in this case, where many of the victims were 
renowned security organizations themselves, 
anyone can become a victim when attackers 


exploit trusted partners and third-party vendors. 


Supply chain attacks don’t all require 
surreptitiously sabotaging software to succeed. 
In fact, phishing attacks are one of the most 
common ways to start a supply chain attack. By 
compromising a trusted partner first, attackers 
can launch business email compromise (BEC) or 
ransomware attacks that result in financial loss in 
the millions. We’ll explore these two attack 


types in more detail in the following sections. 
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TOP 7 ATTACK 


TECHNIQUES 
USED IN 
SUPPLY CHAIN 
ATTACKS 


Compromised 
Partner Account 
+ New Domain 


Attacker uses a new 
domain to send out 
phishing campaigns or 
reference new domains 
within a message from 
a compromised partner. 


Compromised 
Partner IP 
/ Domain 


Attacker compromises 
a known good 
organization, sends 
messages using 

their domain and 

IP address. 


Compromised 
Partner Account + 
Malicious Payload 


Attacker compromises 
a partner, leveraging 
a known employee 
name to send out 
messages containing 
a malicious payload. 


Compromised 
Partner Account 


Attacker compromises 
a valid organization. 

In some instances, 
organizations sending 
out phishing campaigns 
may be fronts or owned 
by threat actors. 


Compromised Partner 
Account + Infiltrated 
Supply-Chain BEC 


Attacker uses a 
compromised partner 

to send out BEC 
messages with no 
payload, often hijacking 
benign email threads 

to divert payment. 


Compromised 
Partner Account 
+ URL Campaign 


Attacker uses a 
compromised partner’s 
domain to send phishing 
emails with links that host 
credential harvesters or 


malicious payloads. 


Partner Spoofing 


Attacker spoofs 

a partner without 
actually compromising 
the partner. Domain 
spoofs or registered 
look alike partner 
domains are common. 
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Business Email 


Compromise (BEC): 


Low Volume, Low 
Werela, talicdal (Poh owls 


BEC attacks range from the easily recognizable 
spoofed sender to sophisticated supply chain attacks. 


Type 3 and Type 4 both rely on exploiting established 
trust with existing partners and vendors. By adding 

in tactics like spoofing sender domains, hosting 
attachments in legitimate services and using timely 
lures, these malware-less attacks can create detection 
challenges for many security systems. Many Type 4 
BECs also use partner account-takeover attacks 
where the partner victim is unaware they have been 
compromised. Later, the attacker pivots the thread 

to the attacker account to divert payment. 


8 / 2021 SECURITY REPORT / ©2021 


TYPE 1 
Spoofed Executive, 
Sender or Domain 


e CXO as lures 

e Inter-organization 
impersonation via 
spoofed sender 
and domains 


TYPE 2 
Compromised 
Employee Account 


eee E Ü m ~ © Moveto.. 


Caroline mamma February 16, 2021 at 12:09 AM e Employees as lures 
[EXTERNAL] Updated Terms, Current Statement & Pending Invoice A intra-organization 


To: undisclosed-recipients:; 


impersonation via 
employee account 
takeover 


This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments. 


Pete note ta we have change our payment erms on rar al pending nes wil be on et 30 days ce, tac is our updated ts and conto, 
we have also attached a copy of your current statement for your TYPE 3 


This is another reminder that we are yet to receive the $57,400 owed on invoice #10237. Please be aware that, as per my terms, we may charge you additional interest - 
sage nme an in oct aca etme oe oe coat Spoof Impersonating 
hittps:/Wweb tresorit. com/ Supplier 
Kind regards, 
Caroline ams 
TYPE 4 
Infiltrated Supplier / 
BECS MADE UP ONLY 1.3% OF ATTACKS Supply Chain Attack 


BUT WOULD HAVE RESULTED IN OVER s 
e Supply chain / partner 


employees as lures 


Inter-organization 
impersonation via 
spoof or supplier 
account takeover 
Long con with delayed 
call-to-actions 
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Business Email Compromise (BEC): continued 


BEC TYPE 4 EXAMPLE 


These attacks use partner š 
account-takeovers to 

hijack legitimate, benign 
conversation threads before 


pivoting the conversation to 


the attacker’s account 


THE AVERAGE BEC 
REQUEST IS NEARLY 


si 


THE MEDIAN 
BEC ATTEMPT 
IS OVER 


200K 


MILLION 
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ee 5 a Ga Oo om. 


O won Re prema me ea 


Hi Tanya, 
Thank you for the information. 


Planse be informed fhal a stait member was diagnosed wih Coid 19 last week, so were working from home for oslfeolalion and hence wa won't ba abie to 
receive check payment till further notice. 


Please kindly advise you could initiate ACH/wire transfer on the advised payment date ; I will send subsidiary LLC bank information to receive payment at the receipt of your 
confirmation. 
Looking forward to your swift response on this. 


Thank you, 

Yannick Sma 
‘Yannick le 
=m 


z = da 


From: Tanya ssm 

Son: Tuesday, Apri 13,2021 030 AM 
To: Yannick isyan. - 

Subject: RE: [EXTERNAL] sal “all “HAE Invoices - Febna 


Hi there, © 
7 
[] 


Looks like the expected payment date is April 27", 2021. It should come via check. 


Do you need anything else from me? 
Tanya 


$4+ Million BEC fraud stopped 


The attacker compromises a partner’s account 
(“Jeffrey”), then hijacks a benign conversation 
thread. Sending from a malicious look-alike 
domain, the attacker pivots the thread to 

the attacker’s account. The look-alike sender 
domain is identical to the benign sender domain 
but ends in .co instead of .com. 


$250K BEC fraud with COVID lure stopped 


The attacker compromises a partner’s account 
(“Yannick”) to hijack a benign email thread, 
pivoting the thread to the attacker’s account. 
COVID lures are used to make the attack more 
convincing and timely. The malicious look-alike 
sender domain used is nearly identical to the 
benign sender domain; the attacker just added 
an extra letter (e.g. “buy.com” vs. “buvy.com” [not 
the actual domain used]). 


Greg, 
(an you panne cance eck ne put «sap payment on N? We a yat w moevn to check eleven wen we dD, w mtb sf race check cx Sap 
ua an ongoing au issue were experenang, payments are geting returned, some are on hold and never returned or credited UI date and we cont want 


I Ike to inform you that al payments from now on should be sent to our new account via electronic 


Moving forward, payments orty {wire/ACH). Please let me know if you wil 
De able to make a wire ranster or ACH payment for this payment so | can provide you wth cur account information in order io avoid delays with this transaction. 


Please let me know i you have any questions. 


x 
N _On Tue, Apr 27, 2021 at 11:36 AM Grog I Tn T wrote: 
| Kwas mated over the weekend 


Bog tom my Prone 

ON AÇ 27, 2021, a 11:17 AM, Jofrey wrote 
N 

Hi Greg, 


Can you please advise on when the outstanding balanco for this transaction wil bo paid? Please lot mo know as Iv got important 
information to share with you regarding our new payment options to be used for this transaction. 


Your swift response is greatly appreciated. 
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Ransomware: The End Stage 


High profile cases of ransomware such as the Colonial Pipeline 
attack, which also used credential harvesting, by now-defunct 
ransomware group DarkSide have prompted federal government 
warnings on their severity and disruption to services, not to 


mention their high financial costs. 


In the case of Colonial Pipeline, the ransomware payment alone 
cost the company EZ with additional system restoration 
costs estimated to be in the tens of millions. U.S. Homeland 
Security has cited losses from NotPetya, another “famous” 
ransomware variant, as high as EALO JIJI Ransom demands have 


also increased, with the Kaseya ransomware claiming the largest 


demand on record atsV/0) jill OP 


The delivery of these devastating attacks are almost always via an 
email phish. In fact, the ransomware categorization only happens 
at the very end of the attack chain when data is already lost and 

a ransom demanded. Other than backing up data and having a 
recovery plan, the most important thing an organization can do is 
to prevent that initial phish from getting in in the first place. 
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FIVE RECENT 
RANSOMWARE 
TRENDS 


Extortion is being 
used in conjunction 
with or as a backup 

for ransoms 


Phishing has replaced 
remote code execution 
(RCE) as the preferred 


delivery method 


The time between 
ransomware 
deployment to 
asset compromise 
has exponentially 
shortened 


Ransomware 
is increasingly sent 
via nested links 
in emails 


Threat actors 
are actively hiring 
in open marketplaces 
for “developers” 


, Seer 
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Ransomware: 


How Ransomware Gets 
Executed On Victim Systems 


Phishing emails are the first stage in 
the delivery mechanism 


First stage loaders establish persistence 
via remote access trojans (RATs) for recon 


Ultimate payload is delivered 


RANSOMWARE IS THE FINAL 
STAGE, NOT THE FIRST 
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ooo Ransomware 
attacks are typically 


delivered through 

o we a COMPROMISED +13, 2020 at 2:09 PM ae. 
j Q Re: my call SENDER i ' phishing attacks. 
To =æ mmer In this example, a 


Reply-To: SEEE compromised sender 
sends a phishing 
EXTERNAL EMAIL email to a partner 
company. Nested links 
E, | tried to call you twice today. lead to the download 
What skoit car ce oompa acaat ota eae aed to bitten Fom your einer ioaden 
To preview copy this link and paste to your browser: malware, which 
hiips:/idocs. google comu document/d/e/2PACX- aia eventually leads 
aL/pub — Saja maanen MALICIOUS to infection with 
= _ GOOGLE DOCS URL ) 
Ryuk ransomware. 
l ai a 
HR outsource specialist 


É Biank Page 
Fle Edt View Favorites Tools Help 


Customer Complaint.pdf Updated automatically every 5 minutes 

The attacker uses a 
legitimate service 
(Google Docs) to host 
a seemingly benign 
page, seen below. If 
clicked, the link on 
this page leads to 
the download of the 


Customer Complaint #10/13 


malicious payload. Customer Comolaint #10/13 for comnany emniavees 
ener een eerie 
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Top 10 Impersonated Brands 


Brand Impersonation: 
Fake It Til You Make It 2 O 


i2 Google 7 WW) Marketo” 


An Adobe Company 


Organizations use their branding to establish reputation and cultivate 
trust with their customers. Attackers take advantage of this trust by Bm Microsoft & Linked 
using brand impersonation in their attacks. 
4 @target > facebook 
Similar to identity deception, which we track separately, brand 
impersonation occurs when a threat actor impersonates a trusted 5 amazon a0 T-Mobile- 
company or well-known brand to add legitimacy to their phishing 
attack. Using stolen branding and images that are often identical to 


the legitimate brand, attackers use any methods to get victims to click. 
COVID Spotlight IDENTITY DECEPTI 
As we saw in the earlier BEC example with COVID lures, these As the use of web conference tools rae 
increased during the pandemic, 
attackers also began impersonating 


COVID as the main headline for the majority of 2020 and into 2021, web conference brands. Here are top 
are s t . web conference brands ranked based 
it’s no surprise that the World Health Organization (WHO) was the nhom often they Te spoofed: 

#1 most impersonated brand, beating annual “favorites” like Google, 


impersonations often focus on trending brands or events. With 


2.4% 
Microsoft and Target. 


® Zoom @ U 


gra BRAND IMPERSONATION 
@ webex @ O coajemect MAKES UP 2.4% OF ATTACKS 
BASED ON VOLUME 
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Like many other attacks, an increase in vishing 


Vishing: A Marriage of Inconvenience during a specific time period can indicate vishing 


campaigns. In our data, we saw a significantly 
high volume of vishing attacks in mid-September 


2020, with smaller campaigns occurring around 


An interesting trend in the intersection of voice and email threats is vishing. the winter holidays, February and May of 2021. 
Vishing, the short form for “voice phishing,” usually refers to the practice of 
leaving fake voice messages in hopes that victims will call back to provide Bescon ND ia Caa Delow. Visning Me mosi 

cyber attacks, occur most frequently on weekdays 


personal information which will be used in other attacks. RA : : : 
when victims are more likely to check their emails. 


In our case, we have observed attackers combining email and voice vectors 
by sending emails with attachments of a voicemail recording, media file or 

a link to one. We have also observed attackers sending emails that had 

no malicious payloads, just simply a phone number. The attackers purported nat 
to be from reputable companies to entice targets to call the number and 

reveal personal information, such as bank details and credit card numbers. 

In some cases, the attackers would also attempt to walk victims through a 80,000 


series of steps on their computers that would result in the download of 


malware or would enable remote access to their system. 
40,000 


Cloud providers and traditional email security providers like Microsoft 
tend to miss these attacks, especially when the malicious link is embedded in 

an attachment. Combining obfuscations and redirections, attackers know 0 ~ mmm n m a m an a nee 

these messages end up reaching the end user and will continue using APR MAY JUN JUL AUG SEP OCT NOV DEC JAN FEB MAR APR MAY 


2020 2020 2020 2020 2020 2020 2020 2020 2020 2021 2021 2021 2020 2021 
these techniques until stopped. 
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Vishing Example 


IMPERSONATED SENDER: 
s KY5M-OGW@ATSON|.]NET 
In this example, the attacker uses 


display name spoofing to impersonate 
a legitimate organization. The email 

contains an .htm attachment purporting | B System® 7:38 AM 
to be a voicemail message. In actuality, New (22 seconds) message from (570) 3029-**** on February 18, 2021, 8:34:59 AM G 
the attachment contains a Javascript To: me 
redirection and obfuscated URL to 


redirect the victim to a credential 


harvester impersonating a Microsoft g 


n : 
VM_745281.htm HTML CONTAINS JS 
REDIRECTION USING 
OBFUSCATED URL, 
REDIRECTING TO: 


https://open.weprotect | 
[.Jxyz/?e=<encoded 
target email address> 


login page. 


Credential Harvester still 
active as of 2/19/2021 l 
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How Did We End Up Here? 


92% 


MORE THAN 92% OF 
USER-SUBMITTED REPORTS 
ARE NOT MALICIOUS 
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Unlike spam and commodity malware, targeted 


attacks make up a relatively low volume, yet can cause 


substantial damage, as examples in this report indicate. 


Attackers use a variety of tactics and techniques 

to evade detection from email providers and 

secure email gateways (SEGs). Tactics like leveraging 
stolen credentials fly under the radar since legitimate 
accounts and logins are used. Newly created domains 
used to spoof legitimate domains do not have any 
malicious reputation so can easily be missed by legacy 


security systems. 


DOES SECURITY AWARENESS 
TRAINING AND USER- 
REPORTED PHISH WORK? 


Security awareness training can be beneficial 
from an educational and awareness 
perspective, but it’s not always effective 

at stopping threats. Many attacks use 
sophisticated impersonation techniques 

that fool all but the most skilled trained 
professionals. Not to mention with account 
takeover attacks, the victim typically does 
not even know they have been compromised. 


User-submitted phish is often inaccurate and 
relying on these reports can increase time 
and resource costs for both end users and 
the IT/security department. In our findings, 
more than 92.1% of user-submitted “phish” 
were actually benign, spam or bulk mail. At 
the same time, security teams chasing after 
false-positives means less time to find and 
investigate actual threats. 
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Missed Threats within a One Month Period 


Each row of missed threats in the chart below make up less than a 0.5% of that month’s email traffic, but it just takes one 


missed threat to cause a security disaster. Our last column may also help put these threats in a different perspective. 


ORGANIZATION EMAIL SECURITY MISSED TOTAL EMAIL 
INDUSTRY SYSTEM USED THREATS VOLUME In Other Words.... 


Insurance 
Software 


Pharmaceutical 


Food and 
Beverage 


Education 
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517,968 


448,440 


105,603 


90,763 


103 0272539. 


432,611,141 


420,088,334 


420,088,334 


More than half a million 
chances of a successful attack 


Almost 15,000 threats in 
inboxes per day for users to deal with 


3,500+ user submissions a day 
IT has to deal with 


45,000+ investigative hvours 
for security teams 
(at only 30 min per incident) 
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Recommendations 


Cyber criminals are always innovating, and staying a step ahead of them can be a challenge without the right people, processes and tools. 


Here are our top recommendations to keep targeted threats 


LOCK DOWN IDENTITY 


With attackers taking the easy route of 
stealing credentials, secure accounts and 
identities by adding additional protection 
likemulti-factor authentication (MFA). 


Never reuse passwords and 


always change default passwords. 
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out of your organization’s inboxes. 


ESTABLISH 
PROTOCOLS AND 
PROCEDURES AGAINST 
FINANCIAL FRAUD 


Establish and train on procedures to prevent 
financial loss in the case of BEC and financial 
fraud, such as requiring multiple approvers 
or “out-of-band” vendor verifications for 


transferring funds to new accounts. 


Train users to avoid clicking on malicious 
content in phishing emails, but also train 


them on what to doif they fall for the phish. 


TAKE A ZERO TRUST 
APPROACH WITH EMAIL 


With email as the number one 
communication vehicle for organizations 
and attackers’ rampant use of spoofing, 
it’s imperative to verify all communication 


that happens within email. 


Remove implicit trust by assessing the 
validity of messages beyond the sender 

to reduce risk from compromised partners. 
Choose a security system that can detect 
compromises and apply controls around 
compromised communications to extend 


zero trust to email. 
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Recommendations 


Cyber criminals are always innovating, and staying a step ahead of them can be a challenge without the right people, processes and tools. 


Here are our top recommendations to keep targeted threats out of your organization’s inboxes. 


DON’T ALWAYS BELIEVE FOCUS ON PREEMPTION 
WHAT YOU SEE 


Brand impersonations have gotten better 


Threats are always easier to deal with 
before they reach end users. Implement 
security awareness, but don’t rely on users 
to be the front line defense. With the 


majority of modern attacks starting with a 


with attackers hiring designers and stealing 
logos. Invest in solutions with advanced 


technologies like optical character 


recognition (OCR) parsing and natural phishing email, deploy a preemptive email 


language understanding (NLU) modeling security solution to keep threats out of your 


to accurately detect phishing emails organization in the first place. Choose a 


using impersonation and identity cloud-based, dynamically scalable solution 


deception techniques. that uses advanced technologies to track 
attacker infrastructure to truly preempt 


attacks before they reach inboxes. 
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Area 1 Security uses advanced 
techniques, wide-scale threat indexing 
and attacker infrastructure tracking to 
preemptively detect and stop malicious 

attacks like those seen in this report 
from ever reaching inboxes. 


To find out more about the 
attacks we’re discovering, or to see 
what threats are already in your 
organization, we invite you to 


SCHEDULE A COMPLIMENTARY 
PHISHING RISK ASSESSMENT 
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Appendix: 


Credential Harvester — Credential 
harvesters are sites set up by an attacker 
to deceive users into providing their login 
credentials. This type of attack presents 
the user with a page that imitates an 
account login page. Unwitting users who 
enter their credentials unknowingly provide 
attackers with the credentials to their 
accounts. 


Identity Deception — Identity deception 
occurs when an attacker or someone with 
malicious intent sends an email claiming 
to be someone else. The mechanisms and 
tactics of this vary widely. Some tactics 
include registering domains that look 
similar (aka domain impersonation), are 
spoofed, or utilize display name tricks 

to appear to be sourced from a trusted 
domain. Other variations include sending 
email utilizing domain fronting and high 
reputation web services platforms such as 
G-Suite and 0365. 


Link — When clicked, a link will open the 
user’s default web browser and render the 
data referenced in the link, or open an 
application directly (e.g. a PDF). Since the 
display text for a link (i.e., hypertext) in 
HTML can be arbitrarily set, attackers can 
make a URL look like it links to something 
benign while it is actually malicious. 
Malicious links can lead to arbitrary code 
execution or Remote Code Execution 
(RCE), credential harvesting, click fraud, 
unwanted installs or other compromises. 
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Attachment — An attachment is any file 
attached to an email that, when opened 
or executed, performs a series of actions 
set by an attacker. Attachments can often 
masquerade as other file types by using 
mismatching extensions or otherwise 
deceptive file names. Attachments can 
lead to malware installation, such as 
backdoors and remote access trojans 
(RATs), or contain links to other malicious 
content and files. 


Brand Impersonation — Brand 
Impersonation occurs when a threat actor 
impersonates a trusted company or well- 
known brand to add legitimacy to their 
phishing attack. 


Extortion — Extortion is a tactic used 

to coerce an entity to perform a set of 
actions they would not otherwise perform. 
Extortion is identified when an attacker 
contacts intended victims with instructions 
to follow in order to avoid compromise or 
release of sensitive data. Unfortunately, 
even following attacker instructions can 
still result in compromise. For this report, 
scareware is also included in this category. 
Scareware is a form of malware which uses 
social engineering to cause shock, anxiety, 
or the perception of a threat to manipulate 
users into downloading and/or buying 
unwanted software. Usually the purported 
malware isn’t real and the software is 
non-functional or malware itself. 


Threat Type Descriptions 


Scam — A scam is a broad category of 
fraud with the purpose of enticing a 
victim to provide money with the promise 
of a significant sum in return. The victim 
can be led to believe they are making an 
investment, which may involve the sender 
promising to pay the victim a large sum to 
transfer or process money, or may simply 
involve funding a fraudulent company 

for example. 


BEC — Business Email Compromise (BEC) 
is an increasingly common, effective 

and costly targeted email attack that 

is designed to trick recipients into 
transferring funds, typically through 
forged invoices, to scammer accounts. 
BEC falls into various categories based on 
its sophistication, ranging from using a 
spoofed email to compromising a vendor 
in a supply-chain attack. In the latter 
example, it is not uncommon for the 
process to play out over several weeks 
while the scammer is grooming the victim 
by email and/or occasionally by phone. 
Our BEC ebook discusses the different 
types of BEC in more detail. 


Dropper — A dropper is a malicious 
executable binary whose purpose is to 
decrypt, unobfuscate and/or extract a 
secondary malicious payload. Along with 
the malicious payload, the dropper may 
open a benign lure document to serve 

as distraction against the human target 
during the infection process. Typically, a 
dropper is extracted from a carrier file such 
as an Microsoft Office document, PDF, or 
other common container style document. 
Carrier files are usually engineered with an 
exploit that causes the viewing application 
to begin executing the attacker's code, 
leading to executing of the dropper and 
installation of malware. 


Other — For the purpose of this report, 
other threat detection categories with 
statistically insignificant numbers have 
been consolidated into the “other” 
category. This includes IP policy (detection 
based on a customer-specific policy), 
target development (attacker information- 
gathering to facilitate a successful attack) 
and encrypted email (phishing messages 
that contain encrypted content as a means 
to circumvent email security systems), 
among others. 


